Week 2 — Build Verification Walkthrough

Web UI shell (preferred — clipboard works)

In Safari, open https://10.10.10.10:8006 → log in as root → in the left tree click the node tctmachine → top tab >_ Shell. A web terminal opens with prompt root@tctmachine:~#.

Alternative: from your Mac Terminal, ssh root@10.10.10.10. Same result, but the web shell pastes more reliably from macOS.

Paste this single block, hit Enter

# prints host info, all bridges, /etc/network/interfaces, qm list, then every VM config
echo "=== HOST ==="
hostname
pveversion
ip -br addr
echo
echo "=== BRIDGES (/etc/network/interfaces) ==="
cat /etc/network/interfaces
echo
echo "=== VM LIST ==="
qm list
echo
for id in 100 101 102 103 104; do
  echo
  echo "=========================================="
  echo "  VM $id"
  echo "=========================================="
  qm config $id 2>&1
done

Resolves "where do the NAT rules actually live"

echo "=== NAT / iptables — where do the rules live? ==="
ls -la /etc/network/interfaces.d/ 2>/dev/null
echo "--- interfaces.d contents ---"
cat /etc/network/interfaces.d/* 2>/dev/null || echo "(empty or missing)"
echo
echo "--- /etc/iptables/rules.v4 ---"
cat /etc/iptables/rules.v4 2>/dev/null || echo "(no persistent file)"
echo
echo "--- live nat table ---"
iptables -t nat -L -n -v
echo
echo "--- ip_forward sysctl ---"
sysctl net.ipv4.ip_forward
grep -H ip_forward /etc/sysctl.conf /etc/sysctl.d/*.conf 2>/dev/null

ARP cache lookup

The Proxmox web console doesn't accept clipboard paste, so we SSH in from the host shell instead. First find the jumpbox IP from the host's ARP table on vmbr1:

ip neigh show dev vmbr1

Look for the line whose MAC matches the jumpbox's net0 from VM 101's config (BC:24:11:12:5A:69). That's your IP. In our build it landed on 172.16.0.100 via DHCP from pfSense2.

Use the host shell as the SSH origin

ssh tct_jumpbox@172.16.0.100

Type yes on the first connection to accept the host key. Enter the password you set at install. Now you're inside the jumpbox and in a paste-friendly terminal (because the host's web shell carried the paste support through the SSH session).

Network, OS, SSH config, UFW, gateway test

echo "=== JUMPBOX (VM 101) ==="
hostnamectl
echo
echo "--- network ---"
ip -br addr
ip route
resolvectl status | grep -E "DNS Servers|Current DNS|Link "
echo
echo "--- OS / packages ---"
lsb_release -a 2>/dev/null
uname -r
echo
echo "--- SSH config status ---"
sudo grep -E '^(Port|PermitRootLogin|PasswordAuthentication|AllowUsers|MaxAuthTries|PubkeyAuthentication)' /etc/ssh/sshd_config
sudo grep -rE '^(Port|PermitRootLogin|PasswordAuthentication)' /etc/ssh/sshd_config.d/ 2>/dev/null
sudo systemctl is-active ssh
sudo systemctl is-enabled ssh
echo
echo "--- UFW ---"
sudo ufw status verbose
echo
echo "--- who is the gateway really? ---"
ip route get 8.8.8.8

Quick check via the FreeBSD-style menu

Proxmox UI → click VM 103 (PFsense2) in the left tree → top-right tab >_ Console. The noVNC window opens to pfSense's blue text menu. Press Enter once to refresh the header — that prints the welcome banner with all three interface IPs without typing a single command.

What you should see at the top:

*** Welcome to pfSense 2.8.1-RELEASE (amd64) on pfSense ***

  WAN (wan)  -> vtnet0  -> v4: 10.10.110.10/16
  DMZ (lan)  -> vtnet1  -> v4: 172.16.0.1/24
  LAN (opt1) -> vtnet2  -> v4: 192.168.0.1/24

Tunnel through the Proxmox host

From your Mac Terminal (not the Proxmox web shell), run:

ssh -L 8443:172.16.0.1:443 root@10.10.10.10

That forwards localhost:8443 on your Mac → through the Proxmox host (which has 172.16.0.10 on vmbr1) → to pfSense2's web UI on its DMZ interface. Leave the SSH session open. Then in Safari open:

https://localhost:8443

Accept the self-signed cert warning. Log in as admin with whatever password you set (or pfsense if you haven't changed it — and you should).

Six screenshots, in this order

1. Status → Dashboard — version, uptime, interfaces, DNS servers
2. Services → DHCP Server → DMZ tab — General Settings + Primary Address Pool
3. Services → DHCP Server → LAN tab — same sections
4. Services → DNS Resolver → General Settings — interfaces, DNSSEC, listen ports
5. Firewall → NAT → Outbound — confirms automatic NAT mode
6. Status → DHCP Leases — current leases (jumpbox + WinSrv)

Proxmox noVNC console

Click VM 102 (WinSrv) in the Proxmox tree → >_ Console. Click in the console area, press a key, sign in as Administrator. Server Manager opens automatically on first login.

One-shot view of all server properties

Server Manager → Local Server in the left sidebar. The right pane shows Properties (firewall state, RDP state, time zone, edition, etc.) and at the very bottom the ROLES AND FEATURES panel listing every installed component.

Screenshot the top of Local Server, then scroll down and screenshot the Roles and Features panel.

Authoritative IP/DNS/DHCP info

Press Win key → type cmd → Enter. Then:

ipconfig /all

Screenshot the entire window. Confirms host name, MAC, IPv4, subnet, gateway, DNS servers, DHCP server, lease window — straight from Windows.

Eval install date and version

Win+I → System → scroll to bottom → About. Records edition, version (24H2), OS build, and most importantly Installed on date. Add 180 days to compute the eval expiration.

Prevent the VM from rebooting back into the installer

While the installer is still running its curtin install phase (or right after, before clicking Reboot Now):

1. Proxmox UI → click VM 105 (LinuxServer) → left tab Hardware
2. Find the row CD/DVD Drive (ide2) with the Ubuntu ISO
3. Double-click → change "ISO image" to Do not use any media → OK

That ensures the next boot goes to scsi0 (the freshly installed disk) instead of looping back into the installer.

Sanity-check the install

After reboot, log in at the console with the username/password set during install. Then paste:

echo "=== LINUXSERVER (VM 105) ==="
hostnamectl
echo
echo "--- network ---"
ip -br addr
ip route
resolvectl status | grep -E "DNS Servers|Current DNS|Link "
echo
echo "--- internet test (proves NAT through pfSense2) ---"
ping -c 2 192.168.0.1
ping -c 2 1.1.1.1
ping -c 2 google.com
echo
echo "--- SSH service ---"
sudo systemctl is-active ssh
sudo systemctl is-enabled ssh
sudo ss -tlnp | grep ssh
echo
echo "--- OS version ---"
lsb_release -a 2>/dev/null
uname -r

Expected: 192.168.0.20/24 on ens18, default route via 192.168.0.1, all three pings succeed, sshd active+enabled+listening on :22.

The realistic admin workflow

From the jumpbox, SSH to the LinuxServer via its LAN IP:

ssh <your-username>@192.168.0.20

This proves pfSense2's firewall is allowing DMZ (172.16.0.0/24) → LAN (192.168.0.0/24) on port 22. If it fails with "Connection timed out", the issue is pfSense's firewall rules — Firewall → Rules → DMZ — by default pfSense allows DMZ-net traffic out, but if you've tightened the rules, you may need an explicit "DMZ → LAN port 22 ALLOW".

Insurance for the rest of Week 2

Before NGINX/MariaDB/syslog/etc., take a Proxmox snapshot so you can roll back cleanly if anything breaks:

1. Proxmox UI → VM 105 → left tab Snapshots → Take Snapshot
2. Name: fresh-install
3. Description: "Ubuntu Server installed, static IP set, SSH up. No services yet."
4. ✓ Include RAM = unchecked (the VM is in a known stable state, no need)
5. Click Take Snapshot

Roles per the lab guide

1. System update first — sudo apt update && sudo apt upgrade -y
2. NGINX — sudo apt install -y nginx · place a custom index.html in /var/www/html/ · test from WinSrv: curl http://192.168.0.20
3. MariaDB — sudo apt install -y mariadb-server · run sudo mysql_secure_installation · create test database capstoneDB
4. NTP — already handled by systemd-timesyncd on Ubuntu Server; verify with timedatectl. Optional: install chrony if a stricter NTP daemon is required.
5. rsyslog forwarder (Week 3 prep) — edit /etc/rsyslog.conf to forward to a central collector when one exists
6. UFW — sudo ufw allow 22 · sudo ufw allow 80 · sudo ufw allow 443 · sudo ufw enable (mirrors jumpbox UFW posture)

Same procedure as VM 105, with the GUI option

1. Boot VM 104 (already has the Desktop ISO on ide2)
2. Walk through the GNOME-style installer · timezone Central · install third-party drivers if prompted
3. Set hostname (suggest linuxdesktop) · pick admin user · enable login automatically (optional, lab-only)
4. After install: detach ISO via Hardware tab (same as VM 105 Step 5.1)
5. Boot · open Settings → Network → Wired → ⚙ → IPv4 tab → Manual · address 192.168.0.25 · netmask 255.255.255.0 · gateway 192.168.0.1 · DNS 192.168.0.1 · Apply
6. Toggle the switch off+on to apply, then test: open Firefox → http://192.168.0.20 (NGINX welcome page once installed)
7. Optional: install openssh-server for remote testing — sudo apt install -y openssh-server